Control 5.13 : Labelling of Information
Summary
An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization. Labelling provides a clear signal to users and systems on how the data must be handled.
Applicability
In-Scope: Necessary for ensuring that users are aware of the sensitivity of the data they are handling. Labels are also what automated controls such as encryption, Data Loss Prevention (DLP) and sharing restrictions key on, so the control underpins their effective operation.
Out-of-Scope: Rarely. The control can be scaled down for very small organizations that handle only a few data types, but even there a basic labeling scheme remains good practice.
Implementation Guidance
Microsoft 365 / Entra ID
- Metadata Tags: Use Sensitivity Labels to embed persistent metadata in files; the label travels with the file even when it leaves the Microsoft tenant. Note that the metadata alone only informs label-aware applications. Handling restrictions follow the file only if the label also applies encryption (Azure Rights Management), so configure encryption on labels whose classification must be enforced outside the tenant.
- Mandatory Labeling: Enable mandatory labeling in the label policy so that Microsoft 365 Apps force users to select a classification before saving or sending a document. Pair it with a default label so that non-sensitive content does not block users with a prompt on every save.
- PDF Protection: Ensure that labels and any associated encryption are applied when Office documents are exported to PDF, and to other non-Office file types where supported, so that labeled content does not lose its protection at format conversion.
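The following PowerShell is an added illustration of the two steps above and of collecting evidence for them; it is not code from the original page or from Microsoft. It uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. The sign-in account, the policy name and the 30-day evidence window are assumptions for the example; the audit operation names are those Microsoft's audit log reference lists for sensitivity label events in SharePoint and OneDrive, and should be confirmed against your own tenant.

```powershell
# Added example: enforce mandatory labelling on an existing label policy and
# collect evidence that labels are being applied. Not from the original page.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder account

$PolicyName = 'Corporate-Labelling-Policy'   # assumed policy name; use your own

# Step 1: require users to pick a label in Office apps, and require a
# justification when a user lowers a label. Advanced settings are string values.
Set-LabelPolicy -Identity $PolicyName -AdvancedSettings @{
    mandatory                     = 'true'
    requiredowngradejustification = 'true'
}

# Step 2 (check): read the settings back. Capture this output as evidence
# that the mandatory setting is actually in force, not just documented.
(Get-LabelPolicy -Identity $PolicyName).Settings |
    Where-Object { $_ -match 'mandatory|requiredowngradejustification' }

# Step 3 (evidence): pull label-application events from the unified audit log
# for the "Automation Logs" item of the evidence checklist. Assumed 30-day window;
# 5000 is the per-call ResultSize ceiling, so page with -SessionCommand for more.
$events = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'SensitivityLabelApplied','FileSensitivityLabelApplied','FileSensitivityLabelChanged' `
    -ResultSize 5000

# Summarise: how many label events of each kind occurred. A zero count for
# FileSensitivityLabelApplied over a month of normal use suggests auto-labelling
# is not firing and is worth investigating before an audit does.
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object -Property Operation |
    Select-Object Name, Count
```

Run the first two steps once when the policy is configured and keep the `Get-LabelPolicy` output with the policy documentation; run the audit query on a schedule (for example monthly) so that the evidence set covers the whole audit period rather than a single snapshot.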
Evidence Checklist
- Labelling Procedures: Documented instructions for staff on how and where to apply labels (physical and digital).
- Sample Evidence: Examples of labeled digital files, physical media, or printed reports.
- Automation Logs: Records (for example, audit log entries) showing that automated labeling policies are correctly identifying and tagging sensitive content.
Practical Audit Advice
Here are some questions the auditor might ask:
- In cases where digital labeling is not possible (e.g., specific legacy file types), how does the organization ensure users are aware of the classification?
- How do you handle information received from third parties that may have a different labeling system than yours?
- Can you show that the metadata labels are respected by your Data Loss Prevention (DLP) system to prevent unauthorized sharing?
- What is the process for ensuring that physical media (such as backup tapes or USB drives) are correctly labeled?